How to fix OpenSSL Padding Oracle vulnerability (CVE-2016-2107) for nginx on debian jessie?

Server Fault Asked by allo on December 26, 2020

As far as I understood, it should be sufficient to upgrade openssl (done a long time ago; now I installed all available updates again (no openssl among them)) and restart nginx.
I even tried to stop nginx fully (verified it with ps) and start it again.

But ssllabs still tells me that I am vulnerable. What else do I need to do, or what can be causing that it's still vulnerable?

Versions:

ii  nginx                              1.9.10-1                          all          small, powerful, scalable web/proxy server
ii  nginx-common                       1.9.10-1                          all          small, powerful, scalable web/proxy server - common files
ii  nginx-full                         1.9.10-1                          amd64        nginx web/proxy server (standard version)
ii  openssl                            1.0.1t-1+deb8u2                   amd64        Secure Sockets Layer toolkit - cryptographic utility

ii  libssl-dev:amd64                   1.0.1t-1+deb8u2                   amd64        Secure Sockets Layer toolkit - development files
ii  libssl-doc                         1.0.1t-1+deb8u2                   all          Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.0:amd64                  1.0.1t-1+deb8u2                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.0.2:amd64                  1.0.2f-2                          amd64        Secure Sockets Layer toolkit - shared libraries

lsof output related to nginx:

lsof 2>/dev/null |grep -i libssl|grep nginx
nginx     17928              root  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx     17929          www-data  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx     17930          www-data  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx     17932          www-data  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx     17933          www-data  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2

3 Answers

I got it.

I installed certbot from Debian unstable, which installed 1.0.2f-2. Unstable is pinned to priority "-100" (do not install from unstable unless requested with -t unstable). This means the version is between the jessie version 1.0.0X-Y and the current unstable version 1.0.2h-1. This prevented an upgrade to the next version in unstable, while the upgrade in stable is an "older" version with respect to the version number.

Correct answer by allo on December 26, 2020
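Added check (not from the question or the answers): a POSIX shell script that parses the lsof and dpkg -l output shown in the question and reports which libssl shared object each nginx process has mapped and which Debian package and version own it, so the mismatch described in this answer (nginx loading libssl.so.1.0.2 from the 1.0.2f-2 package instead of the patched libssl1.0.0) is visible at a glance. The two sample inputs are constructed from the question's listings; on a live host replace them with the real command output as noted in the comments.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.
# On a live host replace the constructed samples with:
#   LSOF_OUT=$(lsof 2>/dev/null | grep -i libssl | grep nginx)
#   DPKG_OUT=$(dpkg -l 'libssl*')

# Constructed sample: two of the lsof lines from the question.
LSOF_OUT='nginx     17928              root  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx     17929          www-data  mem       REG              251,0    430560    2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2'

# Constructed sample: the two libssl shared-library package lines from the question.
DPKG_OUT='ii  libssl1.0.0:amd64                  1.0.1t-1+deb8u2                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.0.2:amd64                  1.0.2f-2                          amd64        Secure Sockets Layer toolkit - shared libraries'

# Unique libssl sonames (basenames) mapped by nginx processes in $LSOF_OUT.
loaded_libssl_sonames() {
    printf '%s\n' "$LSOF_OUT" \
        | awk '$1 == "nginx" && $NF ~ /libssl\.so/ { sub(".*/", "", $NF); print $NF }' \
        | sort -u
}

# Debian names the shared-library package after the soname version:
# libssl.so.1.0.2 -> libssl1.0.2, libssl.so.1.0.0 -> libssl1.0.0.
package_for_soname() {
    printf '%s\n' "$1" | sed 's/^libssl\.so\./libssl/'
}

# Installed version of a package from $DPKG_OUT; the ":amd64" suffix is ignored.
pkg_version() {
    printf '%s\n' "$DPKG_OUT" \
        | awk -v p="$1" '$1 == "ii" && $2 ~ "^" p "(:|$)" { print $3 }'
}

# One line per loaded soname: "<soname> <package> <version>".
report_nginx_libssl() {
    for so in $(loaded_libssl_sonames); do
        pkg=$(package_for_soname "$so")
        printf '%s %s %s\n' "$so" "$pkg" "$(pkg_version "$pkg")"
    done
}

report_nginx_libssl
```

If the reported soname is libssl.so.1.0.2 while the only updated package is libssl1.0.0, restarting nginx cannot help, because the process never loads the patched library.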

Installing the necessary updates (as suggested by https://serverfault.com/users/126632/michael-hampton in the comments) seems to fix the issue for me.

apt-get update && apt-get upgrade

Answered by drinchev on December 26, 2020

I had a similar issue on a Debian Wheezy server. https://www.ssllabs.com/ssltest/ always showed that my server was vulnerable to CVE-2016-2107. Other servers, with (in my opinion) the same config, did not have this security issue.

openssl, apache, php - all the same versions and same config.

After some investigation I found out that mod_spdy was installed and activated on this particular server.

After uninstalling mod_spdy the issue was solved.

dpkg -r mod-spdy-beta
dpkg -P mod-spdy-beta

from https://stackoverflow.com/questions/25593257/how-do-i-remove-spdy-mod-spdy

Answered by Martin Seitl on December 26, 2020
